Sunday, September 28, 2014

Harper, CSEC, and metadata

Comments made by Prime Minister Stephen Harper in New York on September 24th have raised questions about CSEC's use of metadata and about how well the prime minister understands CSEC's activities.

The comments came in an exchange between the prime minister and Wall Street Journal editor-in-chief Gerard Baker during a live interview in front of a New York business audience:

Baker: How do you deal with this challenge between, on the one hand, individual liberty and the need for security? Canada is a country which takes very seriously the notion of human rights and individual rights and is understandably protective of those, and yet, you know, there has been this whole furore here in the United States and around the world about government surveillance. And yet we're starting to see that perhaps some of that government surveillance actually, whether you like it or not, is perhaps necessary actually to avert some of these threats and to stop some of these radicalized people coming and doing these terrible things. How do you get that balance right between on the one hand protecting the security of your people and preserving their right to go about their lives?

Harper: Well, I think broadly the answer to that is actually quite straightforward—which is that you focus your energies: you have, obviously, a system that can identify potential threats, track them, and zero in on surveillance on those particular threats, as opposed to systems that are just broadly based on widespread surveillance of everyone. I’m not a big believer in those kinds of systems, not just because they have the potential to infringe civil liberty, but they usually overwhelm you with data in a way that you can’t actually process or make any use of. So the real challenge, I think, is using these tools, and using them in a way that you can focus in on the people you know are actually going down the wrong path. Just as, frankly, we would do with much traditional crime: we try and focus on people we know become associated with criminal gangs or criminal activity. We don't focus on entire cities or entire populations from which they come.

Baker: Yeah, but, again, the U.S. law enforcement authorities would say that—especially the use of metadata to figure out patterns in phone conversations and that kind of stuff—that's how you do sift down this enormous amount of data, and you can establish that in order to do that effectively, to trace whether some guy in Buffalo is planning to either fly out to the Middle East or blow up a plane somewhere, it's very important to detect patterns in that guy's mobile phone conversations at home and abroad. And that's how you do it, isn't it? Isn't that how you do it?

Harper: Well, they may say that.

Baker: Do you do that in Canada?

Harper: We don't do that in Canada. We don't use metadata as a surveillance tool. And as you note we have had not only radicalized individuals, we have broken up plots and actions of individuals who were planning terrorist actions, and we've done that through targeted, on-the-ground surveillance of people.

Transcription by me. You can watch the entire exchange here (discussion starts around 2:40).

If the prime minister's comments were intended to deny that CSEC uses metadata at all, then he was certainly wrong and should have known better.

CSEC's reliance on metadata has been acknowledged officially many times. CSEC Chief John Forster testified in April, for example, that the agency uses metadata

for three things. One is to understand global communication networks, so we use it to analyze networks so that when we're searching for a foreign target, it helps us to find where our best chance of success is in identifying targets in a sea of billions of communications. Two, we use it to make sure that we're actually targeting a foreign communication and not a Canadian communication. Three, we use metadata to help us detect and identify cyber-attacks against government systems and the information they contain. We can only use metadata either to understand global networks and analyze them, or to define our foreign targets. We don't use it to identify or target Canadians.

It is possible that the prime minister was wrong or was simply being disingenuous, but I suspect his remarks were actually, as their context suggests, intended specifically to refer to the possible use of domestic Canadian metadata to systematically analyze the telephone and/or internet activities of Canadians in order to identify previously unknown suspicious individuals or activities.

The NSA does "contact chaining" searches through both domestic and international metadata, including metadata concerning its Five Eyes allies, and it also does broader, "pattern of life" searches through at least some of that data. We also know that at least some Canadian metadata is shared with those allies, and presumably subjected to some of these analyses.

With respect to Canada itself, we know that CSEC has access to a significant amount of Canadian metadata (although how comprehensive, we don't know) and that the agency can be called upon to analyze such data in support of domestic investigations. The 2006 version of OPS-1-10, Procedures for Metadata Analysis, a CSEC policy document, noted that specific procedures exist for handling domestic metadata analysis: "Metadata analysis conducted in support of Federal Law Enforcement or Security Agencies (LESAs) to obtain Security or Criminal Intelligence (mandated under paragraph 273.64(1)(c) of the NDA, known as ‘Mandate C’) is handled only in accordance with OPS-4-1, Procedures for CSE Assistance to Canadian Federal Law Enforcement or Security Agencies, and OPS-4-2, Procedures for CSE Assistance Under Section 12 of the CSIS Act."

In April 2014, Chief Forster confirmed CSEC's continued support to domestic agencies in this respect: "Again, although we collect metadata, it's very much limited in its use to our existing mandate, which is foreign intelligence collection and cyber-defence. The restrictions we have around that is to understand global networks to find foreign targets. We're not using it to target Canadians or anyone in Canada for our intelligence-gathering activities unless we're assisting CSIS and RCMP under a court warrant." (emphasis added)

Clearly, CSEC can and does use metadata in support of targeted domestic investigations undertaken by Canadian law enforcement and security agencies. And such support probably includes "contact chaining" analysis of those targets. CSEC can also analyze metadata related to its foreign intelligence targets located outside Canada, even if that data extends back into Canada (e.g., a Canadian telephone number in contact with a target in Yemen).

But can CSEC trawl through Canadian metadata searching for suspicious activities or connections without a direct connection to a specific individual targeted for specific reasons?

I think perhaps this is what the prime minister was saying CSEC does not do.

It would be interesting to know if this is indeed what he meant, and if so, if he was right.